RecoveryCodeReplaced dispatched twice when two-factor.login receives a valid recovery code #592

Open
joke2k opened this issue Feb 5, 2025 · 3 comments

joke2k commented Feb 5, 2025

Fortify Version

1.25.3

Laravel Version

10.48.27

PHP Version

8.1

Database Driver & Version

No response

Description

The TwoFactorAuthenticatedSessionController dispatches a RecoveryCodeReplaced event

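```php
public function store(TwoFactorLoginRequest $request)
{
    $user = $request->challengedUser();

    if ($code = $request->validRecoveryCode()) {
        // replaceRecoveryCode() dispatches RecoveryCodeReplaced internally (see below)
        $user->replaceRecoveryCode($code);

        // Second dispatch of the same event
        event(new RecoveryCodeReplaced($user, $code));
        // ...
```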

but User::replaceRecoveryCode already dispatches the exact same event

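```php
public function replaceRecoveryCode($code)
{
    // Swap the used code for a freshly generated one and persist the encrypted list
    $this->forceFill([
        'two_factor_recovery_codes' => encrypt(str_replace(
            $code,
            RecoveryCode::generate(),
            decrypt($this->two_factor_recovery_codes)
        )),
    ])->save();

    // First dispatch of the event
    RecoveryCodeReplaced::dispatch($this, $code);
    // ...
```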

I’m not sure where it would make the most sense to keep the dispatch, but I think it’s reasonable to avoid triggering it twice.

Steps To Reproduce

```php
public function test_two_factor_challenge_with_recovery_code_dispatches_RecoveryCodeReplaced_twice()
{
    Event::fake();

    $user = UserWithTwoFactor::forceCreate([
        'name' => 'Taylor Otwell',
        'email' => '[email protected]',
        'password' => bcrypt('secret'),
        'two_factor_recovery_codes' => encrypt(json_encode(['invalid-code', 'valid-code'])),
    ]);

    $response = $this->withSession([
        'login.id' => $user->id,
        'login.remember' => false,
    ])->withoutExceptionHandling()->post('/two-factor-challenge', [
        'recovery_code' => 'valid-code',
    ]);

    Event::assertDispatchedTimes(RecoveryCodeReplaced::class, 2);
}
```
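
Where a listener on this event writes an audit entry or notifies the user, the double dispatch reported above produces two records for one recovery-code login. The following is an added example, not code from Fortify or from the issue author: a listener made idempotent by keying on user and code. `RecoveryCodeReplacedStandIn`, `AuditRecoveryCodeUse`, the in-memory `$seen` store and the HMAC key are hypothetical stand-ins so the script runs without Laravel.

```php
<?php
// Added example: plain-PHP stand-ins, not Fortify code.

// Hypothetical stand-in for the RecoveryCodeReplaced event, which the
// report shows being constructed with ($user, $code).
final class RecoveryCodeReplacedStandIn
{
    public function __construct(public int $userId, public string $code) {}
}

// Hypothetical listener: records one audit entry per (user, code) pair,
// however many times the event is delivered.
final class AuditRecoveryCodeUse
{
    /** @var array<string, true> keys already handled (in-memory for this demo) */
    private array $seen = [];

    /** @var list<string> */
    public array $auditLog = [];

    public function __construct(private string $hmacKey) {}

    public function handle(RecoveryCodeReplacedStandIn $event): bool
    {
        // Key on an HMAC so the recovery code itself is never stored.
        $key = hash_hmac('sha256', $event->userId . '|' . $event->code, $this->hmacKey);

        if (isset($this->seen[$key])) {
            return false; // duplicate delivery of the same replacement: drop it
        }

        $this->seen[$key] = true;
        $this->auditLog[] = sprintf('user=%d recovery code consumed', $event->userId);

        return true;
    }
}

// Constructed input: the same event delivered twice, as in the report.
$listener = new AuditRecoveryCodeUse(hmacKey: 'constructed-demo-key');
$event = new RecoveryCodeReplacedStandIn(userId: 1, code: 'valid-code');

$first = $listener->handle($event);   // handled
$second = $listener->handle($event);  // recognised as a duplicate

var_dump($first, $second, count($listener->auditLog));
```

In an application the `$seen` array would be replaced by a store that survives across listener instances, since each dispatch may resolve a fresh listener object.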
@developerluanramos

@joke2k Can I try to resolve this one?

github-actions bot commented Feb 6, 2025

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

joke2k commented Feb 6, 2025

@developerluanramos Sure, you can. Consider that the dispatch was recently added to the Authenticatable trait by this PR #564,
and all other package events are raised within action classes.

Considering this, I would revert that PR completely.
